Computer forensic examiners will perform the following steps during an investigation: (1) assess the case, (2) develop an approach for handling the case, (3) identify what resources are required, (4) obtain evidence, (5) generate a copy of collected evidence, (6) identify/mitigate perceived risks, (7) review initial steps taken, (8) recover/analyze digital artifacts, (9) generate a report, and finally (10) conduct a case review.
“Assessing the case” and “developing an approach” would be the investigator and examiner working together to narrow the scope of what could have happened and determining how best to identify/search for evidence. Resources that could be helpful to the examiner depend on what kind of case they are investigating. For example, if a case revolves around an iPhone used in a terrorist attack, required items may consist of a phone charger, suspect-provided PIN, and search warrant. More specifically, mobile forensic suites like iPhone Explorer, iPhone Analyzer, Lantern, or iXam may be all the difference in finding admissible evidence.
“Obtaining evidence” and “generating copies” provide the foundation for any computer forensics investigation. Following the limitations established within a search warrant is key to preventing legal issues. In the iPhone scenario, the examiner must only search what is specified in the warrant. This consideration also ties directly into handling risk. It’s important for investigators and examiners to document dilemmas they experience during a case. One iconic example is triggering a system fire upon opening a desktop computer. Lastly, recovering/analyzing digital artifacts, generating a report, and conducting a case review provide resolution to the investigation. If an examiner cannot find artifacts proving or suggesting the suspect is guilty, the dynamic of the allegations being brought against the suspect changes. Generating a report summarizes the chain of custody, steps taken during the case, and the suggested narrative for what may have occurred at the crime scene. Reviewing the case and how it was handled allows the investigator and examiner to determine if their performance and approach was effective.